Bug bounty guide Identification and reporting of bugs an | Technical Devang

Bug bounty guide



Identification and reporting of bugs and vulns in a responsible way.

All depends on interest and hardwork, not on degree, age, branch, college, etc.

What to study?

1. Internet, HTTP, TCP/IP
2. Networking
3. Command line
4. Linux
5. Web technologies, javascript, php, java
6. Atleast 1 prog language (Python/C/JAVA/Ruby..)

Choose your path (imp)

1. Web pentesting
2. Mobile pentesting
3. Desktop apps

Resources

1. Books

For web

1. Web app hackers handbook
2. Web hacking 101
3. Hacker's playbook 1,2,3
4. Hacking art of exploitation
5. Mastering modern web pen testing
6. OWASP Testing guide

For mobile

1. Mobile application hacker's handbook

Youtube channels

1. Hacking

1. Live Overflow
2. Hackersploit
3. Bugcrowd
4. Hak5
5. Hackerone

Programming

1. thenewboston
2. codeacademy

Writeups, Articles, blogs

1. Medium (infosec writeups)
2. Hackerone public reports
3. owasp.org
4. Portswigger
5. Reddit (Netsec)
6. DEFCON conference videos
7. Forums

Practice (imp)

Tools

1. Burpsuite
2. nmap
3. dirbuster
4. sublist3r
5. Netcat

Testing labs

1. DVWA
2. bWAPP
3. Vulnhub
4. Metasploitable
5. CTF365
6. Hack the box

Start!

Select a platform

1. Hackerone
2. Bugcrowd
3. Open bug bounty
4. Zerocopter
5. Antihack
6. Synack (private)

1. Choose wisely (first not for bounty)
2. Select a bug for hunt
3. Exhaustive search
4. Not straightforward always

REPORT:

5. Create a descriptive report
6. Follow responsible disclosure
7. Create POC and steps to reproduce

Words of wisdom

1. PATIENCE IS THE KEY, takes years to master, don't fall for overnight success
2. Do not expect someone will spoon feed you everything.
3. Confidence
4. Not always for bounty
5. Learn a lot
6. Won't find at the beginning, don't lose hope
7. Stay focused
8. Depend on yourself
9. Stay updated with infosec world

━━━━━━━━━━━━━